On Tue, 2011-02-01 at 11:27 +0000, WebID Incubator Group Issue Tracker
wrote:
> Namely, privacy is not guaranteed, an intermediary (or a
> "webid/profile host") can detect a request from a server (say a bank,
> a private site, an adult site, a gambling site) to a user's WebID URI
> and thus know the user has attempted to identify on said site.
s/know the user has/suppose the user may have possibly/
My WebID is <http://tobyinkster.co.uk/#i>. Of all HTTP requests for "/"
on my domain name, WebID authentication attempts make up a pretty small
fraction.
> This may be something which the protocol needs to address (for
> instance, force TLS for dereferencing), or may be something that is
> best noted and addressed by specification text (note as a security
> consideration and give advice).
Forcing TLS doesn't help much. The host of the profile still knows which
profile was requested and when. (They probably log it.)
This problem can be somewhat mitigated by providing multiple WebIDs in a
single document. e.g. if Alice and Bob's WebIDs are:
http://example.com/smith-family.rdf#alice
http://example.com/smith-family.rdf#bob
Then when an HTTP request for <http://example.com/smith-family.rdf> is
made, nobody listening knows who (if anybody) is trying to authenticate.
Adult sites, and others which may want to protect their users' privacy,
could make their HTTP requests via a proxy.
--
Toby A Inkster
<mailto:mail@tobyinkster.co.uk>
<http://tobyinkster.co.uk>
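
The shared-document mitigation described in the message above works because the fragment of a WebID URI is never sent in the HTTP request. The following sketch is an added example, not part of the original message: it computes what a profile host would observe for each dereference and how many identities each observed request could belong to. The `example.org` WebID is a hypothetical single-user profile added for contrast.

```python
from collections import defaultdict
from urllib.parse import urldefrag, urlsplit

# Constructed sample WebIDs: the two from the message plus a hypothetical
# single-user profile (example.org) for contrast.
WEBIDS = [
    "http://example.com/smith-family.rdf#alice",
    "http://example.com/smith-family.rdf#bob",
    "http://example.org/carol.rdf#me",
]


def request_seen_by_host(webid):
    """Return (host, request_target) as the profile host observes them.

    The fragment is resolved by the client after retrieval and is not
    part of the HTTP request, so the host only sees the document URL.
    """
    doc_url, _fragment = urldefrag(webid)
    parts = urlsplit(doc_url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return parts.netloc, target


def anonymity_sets(webids):
    """Group WebIDs by the request the profile host would log."""
    sets = defaultdict(list)
    for webid in webids:
        sets[request_seen_by_host(webid)].append(webid)
    return dict(sets)


def uniquely_identified(webids):
    """WebIDs whose dereference request maps to exactly one identity."""
    groups = anonymity_sets(webids).values()
    return sorted(ids[0] for ids in groups if len(ids) == 1)


if __name__ == "__main__":
    for (host, target), ids in anonymity_sets(WEBIDS).items():
        print(f"GET {target} (Host: {host}) -> {len(ids)} candidate(s)")
    print("Identified by the request alone:", uniquely_identified(WEBIDS))
```

The host still sees the source address and time of each request, so the grouping only hides which identity in the document was being verified.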